Clickjacking
Explore clickjacking attacks with VeryLazyTech—techniques, exploits, and lazy prevention tips!
Clickjacking, also known as UI redressing, is a deceptive cyber attack where users are tricked into clicking on hidden UI elements, performing unintended actions. Attackers leverage iframes and CSS opacity tricks to overlay malicious content on legitimate pages, leading to data theft, account takeovers, or spreading malware.
In this guide, we'll explore how Clickjacking works, real-world attack scenarios, and prevention strategies to mitigate this web security threat.
Clickjacking is an attack in which a victim is tricked into clicking something different from what they perceive. The technique exploits web page layering, allowing attackers to load invisible or disguised UI components on top of a trusted page.
1. A victim visits a seemingly harmless webpage.
2. The page embeds an invisible or disguised iframe containing a sensitive action (e.g., enabling a webcam, making a purchase, or liking a post).
3. The victim interacts with the webpage, unknowingly triggering the hidden action.
4. The attacker gains access to the unintended action, often leading to security breaches.
Clickjacking attacks vary in complexity, combining JavaScript, CSS, and social engineering tactics. Below are some common exploit techniques:
Attackers overlay an invisible login form over a trusted page. When the victim clicks anywhere, they unknowingly submit credentials.
This technique forces users to drag a disguised malicious element, dropping it into a sensitive area (e.g., file upload, email attachment submission).
In the hidden-form variant, the button the victim sees is layered over a concealed form, so clicking it actually submits a hidden transaction.
If you have identified an XSS that requires the user to click on some element to trigger it, and the page is vulnerable to clickjacking, you could abuse the clickjacking to trick the user into clicking that button or link.
Example: You found a self-XSS in some private details of the account (details that only you can set and read). The page with the form to set these details is vulnerable to clickjacking, and the form can be prepopulated through GET parameters. An attacker could prepare a clickjacking attack on that page, prepopulating the form with the XSS payload and tricking the user into submitting the form. When the form is submitted and the values are modified, the user executes the XSS.
A deceptive technique requiring two clicks: the first click aligns the hidden button, and the second executes the action.
1. Content Security Policy (CSP)
Use the frame-ancestors directive to prevent embedding:
2. X-Frame-Options Header
Blocks the site from being loaded in an iframe:
3. Frame Busting JavaScript
Set secure HTTP headers.
Implement user interaction validation (e.g., CAPTCHAs).
Use SameSite cookies to prevent cross-origin access.
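As an added example (not code from the VeryLazyTech post), the following Node.js snippet covers the CSP frame-ancestors and X-Frame-Options sections above from the defender's side: it builds the headers a server should send and evaluates whether a given parent origin could frame a page served with a given set of headers, applying the CSP3 rule that a frame-ancestors directive takes precedence over X-Frame-Options when both are present. The function names, origins and sample header values are constructed for this example and do not come from the post.

```javascript
// Added example (not from the VeryLazyTech post): build the anti-framing
// response headers a server should send, and evaluate whether a given set of
// headers would let a particular parent origin frame the page. Plain Node.js,
// no third-party modules; origins below are constructed sample values.

// Build response headers. `allowedOrigins` lists origins that may embed the
// page (for example a trusted partner site); an empty list means nobody may.
function buildAntiFramingHeaders(allowedOrigins = []) {
  const noFraming = allowedOrigins.length === 0;
  const sources = noFraming ? ["'none'"] : ["'self'", ...allowedOrigins];
  return {
    // CSP frame-ancestors is the modern, allow-list capable control.
    "content-security-policy": `frame-ancestors ${sources.join(" ")};`,
    // X-Frame-Options is kept as a fallback for browsers without CSP3 support.
    // It cannot express a cross-origin allow-list, so the closest safe value
    // is DENY when nobody may frame the page and SAMEORIGIN otherwise.
    "x-frame-options": noFraming ? "DENY" : "SAMEORIGIN",
  };
}

// Match one CSP source expression (e.g. "https:", "https://*.example.com",
// "partner.example") against a parent origin. Simplified: ports are compared
// only when the source names one explicitly.
function matchesSource(src, parentOrigin) {
  let parent;
  try { parent = new URL(parentOrigin); } catch { return false; }
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return parent.protocol === src; // scheme source
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^/:*]+)(?::(\d+))?$/);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && parent.protocol !== `${scheme}:`) return false;
  if (port && parent.port !== port) return false;
  return wildcard ? parent.hostname.endsWith(`.${host}`) : parent.hostname === host;
}

// Decide whether a browser would allow `parentOrigin` to frame a document
// served from `pageOrigin` with `headers`. Per CSP3, a frame-ancestors
// directive, when present, takes precedence over X-Frame-Options.
function canBeFramedBy(headers, pageOrigin, parentOrigin) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const csp = h["content-security-policy"] || "";
  const directive = csp.split(";").map((d) => d.trim())
    .find((d) => d.toLowerCase().startsWith("frame-ancestors"));
  if (directive) {
    const sources = directive.split(/\s+/).slice(1).map((s) => s.toLowerCase());
    // An empty or 'none' list blocks every embedder, including the page itself.
    if (sources.length === 0 || sources.includes("'none'")) return false;
    return sources.some((src) =>
      src === "*" ||
      (src === "'self'" && parentOrigin === pageOrigin) ||
      matchesSource(src, parentOrigin));
  }
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return parentOrigin === pageOrigin;
  // Neither header present: any site may embed the page, i.e. it is frameable.
  return true;
}

// Usage: audit the headers a page returns (constructed sample values).
const page = "https://app.example";
const strict = buildAntiFramingHeaders();
const partner = buildAntiFramingHeaders(["https://partner.example"]);
console.log(strict);
console.log("attacker can frame strict page:", canBeFramedBy(strict, page, "https://attacker.example"));
console.log("partner can frame partner page:", canBeFramedBy(partner, page, "https://partner.example"));
console.log("unprotected page frameable:", canBeFramedBy({}, page, "https://attacker.example"));
```

Run it with node. The evaluation function is handy for auditing what a server really returns: a page with no frame-ancestors directive and no X-Frame-Options header is frameable by anyone, and a frame-ancestors directive silently overrides a stricter X-Frame-Options value in CSP3-capable browsers, so the two headers should agree. Header-based controls are the primary defence; the frame-busting script approach of section 3 is a fallback only, because a framing page can stop scripts from running in the embedded document (for example with the iframe sandbox attribute), so the script never gets the chance to break out.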